--- # Project source code URL: https://github.com/nextcloud/server nextcloud_enabled: true nextcloud_identifier: nextcloud nextcloud_scheme: https # The fully-qualified name of your Nextcloud server (e.g. `nextcloud.example.com`) nextcloud_hostname: '' nextcloud_path_prefix: / nextcloud_initial_admin_username: admin nextcloud_initial_admin_password: '' nextcloud_version: 30.0.0 nextcloud_uid: '' nextcloud_gid: '' nextcloud_systemd_required_services_list: "{{ nextcloud_systemd_required_services_list_default + nextcloud_systemd_required_services_list_auto + nextcloud_systemd_required_services_list_custom }}" nextcloud_systemd_required_services_list_default: ['docker.service'] nextcloud_systemd_required_services_list_auto: [] nextcloud_systemd_required_services_list_custom: [] nextcloud_systemd_wanted_services_list: "{{ nextcloud_systemd_wanted_services_list_default + nextcloud_systemd_wanted_services_list_auto + nextcloud_systemd_wanted_services_list_custom }}" nextcloud_systemd_wanted_services_list_default: [] nextcloud_systemd_wanted_services_list_auto: [] nextcloud_systemd_wanted_services_list_custom: [] nextcloud_base_path: "{{ nextcloud_base_path }}/nextcloud" nextcloud_config_path: "{{ nextcloud_base_path }}/config" nextcloud_data_path: "{{ nextcloud_base_path }}/data" nextcloud_redis_session_ini_path: "{{ nextcloud_base_path }}/redis-session.ini" nextcloud_customized_container_src_path: "{{ nextcloud_base_path }}/customized-container-src" # Preview generator setup # # Enable the variable nextcloud_preview_enabled and you are good to go. # # Some important aspects of usage: # - the preview generator has two stages [according to their readme](https://github.com/nextcloud/previewgenerator) # - a generate-all phase, which has to be executed only a single time # - a pre-generate phase, that should be run in a cronjob. # That runs quite fast if the generate-all phase finishd. # We do not want to run the generate-all phase multiple times, so its execution has to be followed somehow. # This is done by creating a file on the host side and both the task that executes generate-all # and both the cronjob checks its existance. # # Multiple vaiables are also defined and the corresponding default values are also set. # These values are based on the [upstream readme](https://github.com/nextcloud/previewgenerator) and also on experience. # Feel free to change anything. # # Once installed, the playbook needs to be called with the `post-install-nextcloud` tag. # This tag sets up the variables and calls the generate-all script, that will also create the file---signalling # its finished state---on the host. # *** As this may take a long time, be sure to only call it when you have time to leave it running!!! *** # The playbook calls generate-all asynchronously, but it will timeout after about 27h. # On 60GBs, most if images, it took about 10 minutes to finish. # If it takes more time, you may want to start it from the host by calling # ```sh # /usr/bin/env docker exec mash-nextcloud-server php /var/www/html/occ preview:generate-all # ``` # # If the nextcloud_preview_enabled value is set back to false, the host side files are cleaned up # and also the cron job is changed, not to call prevew generation again however, the database and generated # previews are kept intact. nextcloud_preview_enabled: false nextcloud_preview_folder_name: "preview-generator" nextcloud_preview_docker_folder: "/{{ nextcloud_preview_folder_name }}" nextcloud_preview_host_folder: "{{ nextcloud_customized_container_src_path }}/{{ nextcloud_preview_folder_name }}" nextcloud_preview_first_run_finished_filename: "finished-first-run.keepit" nextcloud_preview_preview_max_x: null nextcloud_preview_preview_max_y: null nextcloud_preview_app_jpeg_quality: 80 # nextcloud_container_image_customizations_enabled controls whether a customized Nextcloud image will be built. # # We toggle this variable to `true` when certain features which require a custom build are enabled. # Feel free to toggle this to `true` yourself and specify build steps in `nextcloud_container_image_customizations_dockerfile_body_custom`. # # See: # - `roles/nextcloud-server/templates/customizations/Dockerfile.j2` # - `nextcloud_container_image_customizations_dockerfile_body_custom` # - `nextcloud_container_image_customized` # - `nextcloud_container_image_final` nextcloud_container_image_customizations_enabled: | {{ ( nextcloud_container_image_customizations_php_imagick_installation_enabled or nextcloud_container_image_customizations_samba_enabled or nextcloud_container_image_customizations_packages_to_install | length > 0 ) }} # SVG support for imagick can be setup like this: # https://docs.nextcloud.com/server/24/admin_manual/configuration_server/theming.html?highlight=libmagickcore%20q16%20extra#theming-of-icons # However, using Imagick may have a negative effect on security, that is the reason # behind not installing it by default. See: # https://github.com/nextcloud/server/issues/13099 # Tread wisely! nextcloud_container_image_customizations_php_imagick_installation_enabled: false nextcloud_container_image_customizations_php_imagick_installation_packages: ['libmagickcore-6.q16-6-extra'] # Samba (SMB) support for Windows fileshares can be setup using the toggle below, which # installs the smbclient package per the example here https://github.com/nextcloud/docker/blob/master/.examples/dockerfiles/smb/apache/Dockerfile # Also see ../../templates/customizations/Dockerfile.j2 nextcloud_container_image_customizations_samba_enabled: false nextcloud_container_image_customizations_samba_packages: ['procps', 'smbclient'] # A list of packages to install in the customized Nextcloud container image. # To add your own, use `nextcloud_container_image_customizations_packages_to_install_custom` nextcloud_container_image_customizations_packages_to_install: "{{ (nextcloud_container_image_customizations_packages_to_install_auto + nextcloud_container_image_customizations_packages_to_install_custom) | unique }}" nextcloud_container_image_customizations_packages_to_install_auto: | {{ (nextcloud_container_image_customizations_php_imagick_installation_packages if nextcloud_container_image_customizations_php_imagick_installation_enabled else []) + (nextcloud_container_image_customizations_samba_packages if nextcloud_container_image_customizations_samba_enabled else []) }} nextcloud_container_image_customizations_packages_to_install_custom: [] # nextcloud_container_image_customizations_dockerfile_body_custom contains your custom Dockerfile steps # for building your customized Nextcloud image based on the original (upstream) image (`nextcloud_container_image`). # A `FROM ...` clause is included automatically so you don't have to. # # Example: # nextcloud_container_image_customizations_dockerfile_body_custom: | # RUN echo 'This is a custom step for building the customized container image for Nextcloud.' # RUN echo 'You can override nextcloud_container_image_customizations_dockerfile_body_custom to add your own steps.' # RUN echo 'You do NOT need to include a FROM clause yourself.' nextcloud_container_image_customizations_dockerfile_body_custom: '' nextcloud_container_image: "{{ nextcloud_container_image_registry_prefix }}nextcloud:{{ nextcloud_container_image_tag }}" nextcloud_container_image_tag: "{{ nextcloud_version }}-apache" nextcloud_container_image_force_pull: "{{ nextcloud_container_image.endswith(':latest') }}" nextcloud_container_image_registry_prefix: docker.io/ # nextcloud_container_image_customized is the name of the locally built Nextcloud image # which adds various customizations on top of the original (upstream) Nextcloud image. # This image will be based on the upstream `nextcloud_container_image` image, only if `nextcloud_container_image_customizations_enabled: true`. nextcloud_container_image_customized: "localhost/nextcloud:{{ nextcloud_container_image_tag }}-customized" # nextcloud_container_image_final holds the name of the Nextcloud image to run depending on whether or not customizations are enabled. nextcloud_container_image_final: "{{ nextcloud_container_image_customized if nextcloud_container_image_customizations_enabled | bool else nextcloud_container_image }}" # A list of extra arguments to pass to the container nextcloud_container_extra_arguments: [] # Controls whether the nextcloud-apache container's memory usage # is limited and to what extent. # # When set, these options are passed to `docker run` # as `--memory=..` and `--memory-swap=..` respectively. # # Expected value format is `[integer][unit]`. E.g. 100M, 1G # # If `nextcloud_container_memory_swap_limit` is set, # it represents the total memory that can be used (memory + swap), # so it must always be at least as large as `nextcloud_container_memory_limit`. # To disable swapping, make it the same as `nextcloud_container_memory_limit`. nextcloud_container_memory_limit: "" nextcloud_container_memory_swap_limit: "" # Controls whether the nextcloud-apache container exposes its HTTP port (tcp/80 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:37150"), or empty string to not expose. nextcloud_container_http_host_bind_port: "" # nextcloud_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. # See `../templates/labels.j2` for details. # # To inject your own other container labels, see `nextcloud_container_labels_additional_labels`. nextcloud_container_labels_traefik_enabled: true nextcloud_container_labels_traefik_docker_network: '' nextcloud_container_labels_traefik_hostname: "{{ nextcloud_hostname }}" # The path prefix must either be `/` or not end with a slash (e.g. `/nextcloud`). nextcloud_container_labels_traefik_path_prefix: "{{ nextcloud_path_prefix }}" # Controls whether `/.well-known/{carddav,caldav}` will be redirected to `/remote.php/dav/` nextcloud_container_labels_traefik_dav_redirect_regex_enabled: true nextcloud_container_labels_traefik_rule: "Host(`{{ nextcloud_container_labels_traefik_hostname }}`){% if nextcloud_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ nextcloud_container_labels_traefik_path_prefix | quote }}`){% endif %}" nextcloud_container_labels_traefik_priority: 0 nextcloud_container_labels_traefik_entrypoints: web-secure nextcloud_container_labels_traefik_tls: "{{ nextcloud_container_labels_traefik_entrypoints != 'web' }}" nextcloud_container_labels_traefik_tls_certResolver: default # noqa var-naming # Controls which additional headers to attach to all HTTP requests. # To add your own custom request headers, use `nextcloud_container_labels_traefik_additional_response_headers_custom` nextcloud_container_labels_traefik_additional_request_headers: "{{ nextcloud_container_labels_traefik_additional_request_headers_auto | combine(nextcloud_container_labels_traefik_additional_request_headers_custom) }}" nextcloud_container_labels_traefik_additional_request_headers_auto: | {{ {} | combine ({'Front-End-Https': 'on'} if nextcloud_scheme == 'https' else {}) }} nextcloud_container_labels_traefik_additional_request_headers_custom: {} # Controls which additional headers to attach to all HTTP responses. # To add your own custom response headers, use `nextcloud_container_labels_traefik_additional_response_headers_custom` nextcloud_container_labels_traefik_additional_response_headers: "{{ nextcloud_container_labels_traefik_additional_response_headers_auto | combine(nextcloud_container_labels_traefik_additional_response_headers_custom) }}" nextcloud_container_labels_traefik_additional_response_headers_auto: | {{ {} | combine ({'X-XSS-Protection': nextcloud_http_header_xss_protection} if nextcloud_http_header_xss_protection else {}) | combine ({'X-Frame-Options': nextcloud_http_header_frame_options} if nextcloud_http_header_frame_options else {}) | combine ({'X-Content-Type-Options': nextcloud_http_header_content_type_options} if nextcloud_http_header_content_type_options else {}) | combine ({'Content-Security-Policy': nextcloud_http_header_content_security_policy} if nextcloud_http_header_content_security_policy else {}) | combine ({'Permission-Policy': nextcloud_http_header_content_permission_policy} if nextcloud_http_header_content_permission_policy else {}) | combine ({'Strict-Transport-Security': nextcloud_http_header_strict_transport_security} if nextcloud_http_header_strict_transport_security and nextcloud_container_labels_traefik_tls else {}) }} nextcloud_container_labels_traefik_additional_response_headers_custom: {} # A list of middlewares to add to the service. # Add your own via the `nextcloud_container_labels_traefik_http_middlewares_custom` variable. nextcloud_container_labels_traefik_http_middlewares: "{{ nextcloud_container_labels_traefik_http_middlewares_default + nextcloud_container_labels_traefik_http_middlewares_auto + nextcloud_container_labels_traefik_http_middlewares_custom }}" nextcloud_container_labels_traefik_http_middlewares_default: | {{ ([{ 'priority': 1000, 'name': (nextcloud_identifier + '-slashless-redirect'), 'type': 'redirectregex', 'config': { 'regex': '^(' + nextcloud_container_labels_traefik_path_prefix | quote + ')$', 'replacement': '${1}/', }, }] if nextcloud_container_labels_traefik_path_prefix != '/' else []) + ([{ 'priority': 2000, 'name': (nextcloud_identifier + '-dav-redirectregex'), 'type': 'redirectregex', 'config': { 'permanent': 'true', 'regex': ('^' + nextcloud_scheme + '://' + nextcloud_hostname | quote + '/.well-known/(?:card|cal)dav$'), 'replacement': (nextcloud_scheme + '://' + nextcloud_hostname + '/remote.php/dav/'), }, }] if nextcloud_container_labels_traefik_dav_redirect_regex_enabled else []) + ([{ 'priority': 3000, 'name': (nextcloud_identifier + '-strip-prefix'), 'type': 'stripprefix', 'config': { 'prefixes': nextcloud_container_labels_traefik_path_prefix, }, }] if nextcloud_container_labels_traefik_path_prefix != '/' else []) + ([{ 'priority': 4000, 'name': (nextcloud_identifier + '-add-request-headers'), 'type': 'headers', 'config_key_prefix': 'customrequestheaders.', 'config': nextcloud_container_labels_traefik_additional_request_headers, }] if nextcloud_container_labels_traefik_additional_request_headers.keys() | length > 0 else []) + ([{ 'priority': 5000, 'name': (nextcloud_identifier + '-add-response-headers'), 'type': 'headers', 'config_key_prefix': 'customresponseheaders.', 'config': nextcloud_container_labels_traefik_additional_response_headers, }] if nextcloud_container_labels_traefik_additional_response_headers.keys() | length > 0 else []) }} nextcloud_container_labels_traefik_http_middlewares_auto: [] nextcloud_container_labels_traefik_http_middlewares_custom: [] # nextcloud_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. # See `../templates/labels.j2` for details. # # Example: # nextcloud_container_labels_additional_labels: | # my.label=1 # another.label="here" nextcloud_container_labels_additional_labels: '' # nextcloud_container_additional_environment_variables contains a multiline string with additional environment variables to pass to the container. # # Example: # nextcloud_container_additional_environment_variables: | # VAR=1 # ANOTHER=value nextcloud_container_additional_environment_variables: '' # A list of additional "mounts" to be mounted in the container. # Contains definition objects like this: # nextcloud_container_additional_mounts: # - "type=bind|volume|tmpfs,source=/outside,target=/inside,readonly,bind-propagation=slave" nextcloud_container_additional_mounts: [] nextcloud_container_network: "{{ nextcloud_identifier }}" # A list of additional container networks that the container would be connected to. # The playbook does not create these networks, so make sure they already exist. nextcloud_container_additional_networks: "{{ nextcloud_container_additional_networks_auto + nextcloud_container_additional_networks_custom }}" nextcloud_container_additional_networks_auto: [] nextcloud_container_additional_networks_custom: [] nextcloud_database_type: postgres nextcloud_database_hostname: '' nextcloud_database_port: 5432 nextcloud_database_name: nextcloud nextcloud_database_username: '' nextcloud_database_password: '' # Controls the maintenance_window_start configuration parameter. # See: https://docs.nextcloud.com/server/29/admin_manual/configuration_server/background_jobs_configuration.html nextcloud_config_parameter_maintenance_window_start: 1 # A list of configuration parameters for Nextcloud. # To define your own, we advise editing `nextcloud_config_additional_parameters`. nextcloud_config_parameters: "{{ nextcloud_config_default_parameters + nextcloud_config_additional_parameters }}" # Default configuration parameters to apply to Nextcloud. # To add your own additional parameters, use `nextcloud_config_additional_parameters`. # To get rid of these defaults, redefine `nextcloud_config_default_parameters` or `nextcloud_config_parameters`. nextcloud_config_default_parameters: | {{ ([ { 'key': 'trusted_domains 1', 'value': nextcloud_hostname, 'type': 'string', }, { 'key': 'overwriteprotocol', 'value': 'https', 'type': 'string', }, { 'key': 'overwrite.cli.url', 'value': nextcloud_url, 'type': 'string', }, { 'key': 'overwritewebroot', 'value': ('' if nextcloud_path_prefix == '/' else nextcloud_path_prefix), 'type': 'string', }, { 'key': 'htaccess.RewriteBase', 'value': nextcloud_path_prefix, 'type': 'string', }, { 'key': 'auth.bruteforce.protection.enabled', 'value': false, 'type': 'boolean', }, { 'key': 'maintenance_window_start', 'value': nextcloud_config_parameter_maintenance_window_start, 'type': 'integer', }, ]) + ([ { 'key': 'mail_smtphost', 'value': nextcloud_config_parameter_mail_smtphost, 'type': 'string', }, ] if nextcloud_config_parameter_mail_smtphost != '' else []) + ([ { 'key': 'mail_smtpport', 'value': nextcloud_config_parameter_mail_smtpport | int, 'type': 'int', }, ] if nextcloud_config_parameter_mail_smtpport != '' else []) + ([ { 'key': 'mail_smtpsecure', 'value': nextcloud_config_parameter_mail_smtpsecure, 'type': 'string', }, ] if nextcloud_config_parameter_mail_smtpsecure != '' else []) + ([ { 'key': 'mail_smtpauth', 'value': nextcloud_config_parameter_mail_smtpauth, 'type': 'boolean', }, ] if nextcloud_config_parameter_mail_smtpauth else []) + ([ { 'key': 'mail_smtpname', 'value': nextcloud_config_parameter_mail_smtpname, 'type': 'string', }, ] if nextcloud_config_parameter_mail_smtpname else []) + ([ { 'key': 'mail_smtppassword', 'value': nextcloud_config_parameter_mail_smtppassword, 'type': 'string', }, ] if nextcloud_config_parameter_mail_smtppassword else []) + ([ { 'key': 'mail_from_address', 'value': nextcloud_config_parameter_mail_from_address, 'type': 'string', }, ] if nextcloud_config_parameter_mail_from_address != '' else []) + ([ { 'key': 'mail_domain', 'value': nextcloud_config_parameter_mail_domain, 'type': 'string', }, ] if nextcloud_config_parameter_mail_domain != '' else []) }} nextcloud_config_parameter_mail_smtphost: '' nextcloud_config_parameter_mail_smtpport: '' nextcloud_config_parameter_mail_smtpsecure: '' nextcloud_config_parameter_mail_smtpauth: false nextcloud_config_parameter_mail_smtpname: '' nextcloud_config_parameter_mail_smtppassword: '' # nextcloud_config_parameter_mail_from_address and nextcloud_config_parameter_mail_domain # contain the @-separated email address of the sender (localpart@domain). nextcloud_config_parameter_mail_from_address: '' # localpart nextcloud_config_parameter_mail_domain: '' # domain # Add your custom Nextcloud configuration parameters here. # # Example: # nextcloud_config_additional_parameters: # - key: mail_smtphost # value: smtp.example.com # type: string nextcloud_config_additional_parameters: [] # nextcloud_cron_schedule contains a systemd OnCalendar definition which controls how often `cron.timer` runs # The default value means 'every 15 minutes'. # Learn more here: https://man.archlinux.org/man/systemd.time.7 nextcloud_cron_schedule: '*:0/15:0' #enable auto updates for nextcloud apps nextcloud_auto_app_update_enabled: false # nextcloud_auto_app_update_schedule contains a systemd OnCalendar definition which controls how often `app-update.timer` runs # The default value means 'every day at 00:00'. # Learn more here: https://man.archlinux.org/man/systemd.time.7 nextcloud_auto_app_update_schedule: '*-*-* 00:00:00' # Specifies the value of the `X-XSS-Protection` header # Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. # # Learn more about it is here: # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection # - https://portswigger.net/web-security/cross-site-scripting/reflected nextcloud_http_header_xss_protection: "1; mode=block" # Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options nextcloud_http_header_frame_options: SAMEORIGIN # Specifies the value of the `X-Content-Type-Options` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options nextcloud_http_header_content_type_options: nosniff # Specifies the value of the `Content-Security-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy nextcloud_http_header_content_security_policy: frame-ancestors 'self' # Specifies the value of the `Permission-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy nextcloud_http_header_content_permission_policy: "{{ 'interest-cohort=()' if nextcloud_floc_optout_enabled else '' }}" # Specifies the value of the `Strict-Transport-Security` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security nextcloud_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if nextcloud_hsts_preload_enabled else '' }}" # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses # # Learn more about what it is here: # - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea # - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network # - https://amifloced.org/ # # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. # See: `nextcloud_content_permission_policy` nextcloud_floc_optout_enabled: true # Controls if HSTS preloading is enabled # # In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and # indicates a willingness to be "preloaded" into browsers: # `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` # For more information visit: # - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security # - https://hstspreload.org/#opt-in # See: `nextcloud_http_header_strict_transport_security` nextcloud_hsts_preload_enabled: false # Collabora Online integration. # See the `collabora-online` role. nextcloud_collabora_app_wopi_url: '' nextcloud_collabora_app_wopi_allowlist: '10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16' # Redis intergration. nextcloud_redis_hostname: '' nextcloud_redis_port: 6379